Making transactions only, or almost only, by QR codes

Question

I have a OnePlus 6 smartphone and I recently opened a bank account in a bank which seems to me very innovative in the context going payment card (debit/credit) free (using only application and/or cash).
It will not necessarily be my main bank account and as of now I don't see myself putting most of my money there, but I want to put there about 2,000 USD for now.

I have the bank application on my smartphone and I can pay worldwide with it with no fees/commissions via QR code until a generous amount.

My smartphone barely has any applications installed besides WhatsApp and Gmail.
I don't use a PIN code on my Smartphones for about 10 years now (I do use a PIN code for bank application though). I also never used fingerprint in my smartphone.

My question

What security measures should I take to secure my smartphone properly if I go payment card free and manage all payments, worldwide, by smartphone?

Update

I take back the notion (if I ever published here one) that one should go payment card free; I had two cases - one outside the country of the aforementioned bank, where my account was locked (due to some dual SIM card related behavior) and the application's mechanism to unlock it was very unintuitive and inconvenient to utilize so in that case, if I would have been only with my smartphone and lose all cash, I would not be able to handle economically easily.

Therefore, I advise against that method; I personally believe that the method of Smartphone as primary economic instrument with payment card as secondary (and reserve) economic instrument, with no cash at all; is best --- but I might be wrong.

Many banking applications terms of service may require that you have some level of protection on your device, make sure you're aware of what your responsibilities are. Otherwise they may fudge themselves out of coverage of unwanted/fraudulent transaction if people are free to take your mobile phone and transact with it. — Lie Ryan, Sep 05 '19 at 02:59
There is also malicious QR Code.. You can have a look at here https://null-byte.wonderhowto.com/how-to/create-malicious-qr-codes-hack-phones-other-scanners-0197416/ — Sir Muffington, Nov 14 '19 at 11:41

score 3 · Accepted Answer · edited Jun 16 '20 at 09:49

That probably depends on the banking application and how the bank allows you to recover a lost PIN. I would normally say "you should enable PIN or fingerprint authentication", but in fact you might not be required to. PIN/fingerprint is breakfast for security-aware individuals.

Let's analyse the few information you provided. That you are enabled to pay by QR and that you would like, as myself does, to manage all payments via smartphone.

I will not disclose the name of my bank, but will describe what major banks in Europe normally do. You did not describe how your bank works in the first place

Authentication at banking application level

Assuming you don't have fingerprints enabled, and/or if your bank app doesn't (yet) support that, most banks will, despite the great security APIs of Android, issue you a yet-another new PIN code that is valid only for themselves. It can be equal to your phone's PIN if they allow you to choose.

Since you have to reauthenticate at the banking application ever time you do something, from checking your balance to making a payment, they will be safe. Even if you lose your phone and who finds it has access to Whatsapp and all your emails, they will likely have no immediate access to your banking account. I will be writing a huge footnote.

That is the only security measure you can have, but depends on your bank. Note: we could write an entire book for this paragraph, including OTPs and PSD2 (European Payment Service Directive 2) but those will go beyond the scope of the question, which is about the security measures the OP can take.

Geolocation

A lot of banks require customers to disclose GPS location when doing anything. I am a bit skeptic about anti fraud systems, but at least on paper this works: they already know the location of stores where QR codes are exposed. Once you issue a QR payment, you are supposed to be at the place. QRs can still be sent over Whatsapp, printed and photo-copied for remote payments.

Root checking

Another things banks normally do is to limit or block functionality to ~~rooted~~ devices that do not pass SafetyNet hardware/software attestation.

Disclosure: I am Groot. I will never unroot. But I have to admit that they block root for a reason. Perhaps most of them because OWASP requires that.

In this case, payments with QR codes can be theoretically violated by a malicious root app that forces camera API to read a bogus static image with a QR code owned by attacker. Notice the emphasis on theoretically.

Footnote: recovering credentials on unlocked phone

This all depends on the bank. Losing an unlocked phone with access to email and messaging is dangerous per se, but might or might not be enough to steal money to you. I have already talked about banks requiring you a separate PIN/authentication to issue transactions.

But when you leave unrestricted access to your emails, danger is close. Let's put it extremely simply simple. If your bank allows you to recover a forgotten access code by simple means of SMS recovery and/or email confirmation, you are required to put additional security measures on your phone. A number of banks will at least require you to be physically at the branch before asking you for email/SMS confirmation. If your bank falls in this category, you still might have chances to live without PIN and fingerprints.

Summarizing

Most depends on the security model of your bank. It is trivial to require everyone to use a strong authentication to the phone, but as I have illustrated while banks do enforce their own security in banking applications, odds are that, according to the practices of your bank, you could have a big hole open in your security by leaving the phone unlocked.

score 1 · Answer 2 · answered Jul 01 '19 at 08:17

You need to protect against 2 things: theft and trojans/malware.

The model you specified is pretty safe from start. It is encrypted by default. You cannot access any data without the password/pin/pattern, if you have either set. If you unlock boot-loader, it will erase everything in the phone, including internal storage. So the anti-theft part is fine.

Against infection-based threats there are various solutions - you should choose one according to you needs and stick to it. You should always inform yourself about applications you want to install before installing them to preempt any possibility of rogue applications on your device.

The bank app's own functionality is the bank's problem and theres nothing you can do on your side for that.

Is it not only encrypted if a password or PIN is added, which OP says he does not do? — LTPCGO, Sep 05 '19 at 11:45

score 0 · Answer 3 · answered Sep 05 '19 at 05:55

0

You should at least do whatever the bank requires. For a similar application mine does require either a PIN (on the app-level) or a fingerprint unlock (on the app-level).

And that's all what I basically use, besides the phones screen lock.

answered Sep 05 '19 at 05:55

Marcel

3,494
1
18
35

Hello, thank you; I agree with you and up voted your answer; sorry for the edit reject - done by mistake; I should have clicked "reject and edit" as I desired a similar yet quite different title. Regards, – Sep 05 '19 at 10:49